Building Security into Closed Network Design

Several common closed network design decisions adversely impact operational security

Closed network security can be improved by correctly making certain design decisions
Gathering Observations

Review the literature of network security best practices
Interview and survey closed network analysts
Observe production closed networks
Intended Audience

Network designers
Network architects
Information technology decision makers

May also be interested:

• Network administrators,
• analysts,
• defenders,
• auditors,
• security officers, and
• information assurance personnel.
Background

CLOSED NETWORK DESIGN
Closed Network Principles

A closed network is a private network which cannot access any other network or devices which are not managed by the designated authority. All nodes on the closed network operate under policy dictated by the designated authority. The closed network implements access restrictions which will prevent attempted communication with other networks.
Network Types

Network Guards

Cross Domain Violation

A cross domain violation occurs when controls are not properly enforced while moving data into or out of a closed network.
Exploits on a Closed Network

The presence of malware on the closed network means that a cross domain violation has occurred
Attribution in the Closed Environment

One key difference between closed and open networks is that in a closed network both the attacker and the target are on the same network
The Trust Trap

Closed networks are inherently accessible only to trusted individuals, which leads to decreased monitoring, decreased perceived risk, and decreased technical controls built into the network architecture*

* Stephen Band et al., "Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis," CERT Program, Carnegie Mellon Software Engineering Institute, Pittsburgh, Technical Report CMU/SEI-2006-TR-026, 2006
Design of Security

Security must be addressed from the outset

Experience shows that security usually cannot be retrofitted into systems for which it was not an original design goal
A Note About Topology

Physical topology, network topology, transport topology, and application topology
Findings

CLOSED NETWORK DESIGN
Sensor Placement - Sink Holes

A sink hole gathers, analyzes, and drops traffic bound for unallocated, unused, or otherwise selected IP addresses and ranges

Sink holes are particularly effective in closed networks


Software Engineering Institute, Carnegie Mellon
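As an added example (not part of the original slides or of SEI's tooling), the following script shows the kind of analysis a sink hole enables on a closed network: flow records whose destination lies inside the enclave's address block but outside any allocated prefix are treated as sink-hole hits and summarized per source. The address ranges and flow records are constructed sample data in a SiLK-like tuple form.

```python
"""Sink-hole hit analysis over flow records (constructed sample data).

Any destination inside the enclave supernet that falls outside an
allocated prefix is treated as sink-holed.  Hits are grouped by source so
the analyst can see which hosts keep probing unused space, which on a
closed network is a policy violation worth investigating.
"""
import ipaddress
from collections import defaultdict

# Constructed example: the enclave owns 10.10.0.0/16 but has allocated only
# two /24s.  Everything else in the /16 is routed to the sink hole.
ENCLAVE_SUPERNET = ipaddress.ip_network("10.10.0.0/16")
ALLOCATED = [ipaddress.ip_network(p) for p in ("10.10.1.0/24", "10.10.2.0/24")]

# Constructed flow records: (source ip, destination ip, dest port, protocol, packets)
SAMPLE_FLOWS = [
    ("10.10.1.15", "10.10.2.20", 445, 6, 12),    # normal: allocated -> allocated
    ("10.10.1.15", "10.10.7.1", 445, 6, 1),      # unallocated destination
    ("10.10.1.15", "10.10.7.2", 445, 6, 1),
    ("10.10.1.15", "10.10.7.3", 445, 6, 1),
    ("10.10.1.15", "10.10.9.44", 139, 6, 1),
    ("10.10.2.20", "10.10.1.15", 22, 6, 30),     # normal
    ("10.10.2.33", "10.10.200.200", 53, 17, 2),  # a single stray lookup
]


def is_sinkholed(dst):
    """True when dst lies inside the enclave supernet but in no allocated prefix."""
    addr = ipaddress.ip_address(dst)
    if addr not in ENCLAVE_SUPERNET:
        return False
    return not any(addr in prefix for prefix in ALLOCATED)


def sinkhole_report(flows, min_targets=3):
    """Group sink-holed flows by source and flag sources that touched at least
    `min_targets` distinct unallocated destinations.
    Returns {source: {"targets": n, "ports": sorted ports, "flagged": bool}}."""
    per_source = defaultdict(lambda: {"targets": set(), "ports": set()})
    for sip, dip, dport, _proto, _pkts in flows:
        if is_sinkholed(dip):
            per_source[sip]["targets"].add(dip)
            per_source[sip]["ports"].add(dport)
    return {
        sip: {
            "targets": len(info["targets"]),
            "ports": sorted(info["ports"]),
            "flagged": len(info["targets"]) >= min_targets,
        }
        for sip, info in per_source.items()
    }


if __name__ == "__main__":
    for src, info in sinkhole_report(SAMPLE_FLOWS).items():
        print(src, info)
```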


Sensor Placement - Gaps

Sensor gaps force the network analyst to waste time trying to find missing data

Along these same lines, duplicate sensors are also a problem for the closed network analyst
Sensor Placement - Tunnels in the Closed Network

Tunneling protocols compromise the sensor fabric

Most closed networks are not equipped to deal with tunnels

Tunnel protocols
• e.g. Teredo, GRE or SSH

Subversive tunnels
• e.g. DNS, ICMP or HTTP tunneling
Sensor Placement - Application Proxies

Proxies prevent end-to-end monitoring and make attribution more difficult

Some closed networks do not capture proxy traffic logs or do not store them with other security data
Sensor Placement - Virtual hosts

Network layer taps are not sufficient to monitor virtual networks

Virtual sensors at the hypervisor level

“Virtual” data should be integrated with other data
Sensor Placement - Monitor at Multiple Levels

“Sensor” == “Snort”

A sensor stack can also include:

• An IDS/IPS (for example Cisco MARS or Sourcefire)
• A flow monitoring and storing system (SiLK, Argus, or NFSen)
• A header capture and storage system
• A full packet capture and storage system (Niksun, NetWitness)
• An application layer monitor for critical applications (email guards, DNS monitors, SQL scrubbers, web proxies)
• A security information and event manager (limited retrospective analysis)
Topology - Data Consolidation

In closed networks, security data should be consolidated

Operations and security data should be stored together
Topology - Closed Network Zones

Closed networks should be divided into subnetworks of computers with similar security requirements

Enterprise services should be isolated in their own zone (DMZ)
Topology - Asymmetry in the Closed Network

Routing asymmetry has a significant impact on the ability to measure, model, and manage networks
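The following added example (not code from the original slides or from SEI) illustrates both the sensor-gap and the routing-asymmetry findings: unidirectional flow records from two sensors are keyed by an order-independent 5-tuple so that the two halves of a conversation can be married in the data repository, and conversations seen in only one direction are reported as candidate gaps. The sensor names and flow records are constructed sample data.

```python
"""Marry both sides of a conversation from unidirectional flow records
(constructed sample data).

With asymmetric routing, the request half of a conversation may cross
sensor A while the reply half crosses sensor B.  Keying both halves by an
order-independent 5-tuple lets the repository reassemble them; a half with
no partner points at asymmetry past a sensor gap or a genuinely one-sided flow.
"""
from collections import defaultdict

# Constructed unidirectional records: (sensor, sip, sport, dip, dport, proto, bytes)
RECORDS = [
    ("A", "10.10.1.15", 51000, "10.10.2.20", 445, 6, 900),    # request via A
    ("B", "10.10.2.20", 445, "10.10.1.15", 51000, 6, 4200),   # reply via B
    ("A", "10.10.1.15", 51001, "10.10.2.20", 22, 6, 300),     # request via A
    ("A", "10.10.2.20", 22, "10.10.1.15", 51001, 6, 800),     # reply also via A
    ("B", "10.10.2.33", 40000, "10.10.9.9", 80, 6, 120),      # reply never seen
]


def conversation_key(sip, sport, dip, dport, proto):
    """Order-independent key so both directions map to the same conversation."""
    a, b = (sip, sport), (dip, dport)
    return (proto,) + (a + b if a <= b else b + a)


def marry_flows(records):
    """Return {key: {"sensors": set, "directions": n, "bytes": total}}."""
    convs = defaultdict(lambda: {"sensors": set(), "directions": set(), "bytes": 0})
    for sensor, sip, sport, dip, dport, proto, nbytes in records:
        c = convs[conversation_key(sip, sport, dip, dport, proto)]
        c["sensors"].add(sensor)
        c["directions"].add((sip, sport, dip, dport))
        c["bytes"] += nbytes
    return {
        k: {"sensors": v["sensors"], "directions": len(v["directions"]), "bytes": v["bytes"]}
        for k, v in convs.items()
    }


def one_sided(convs):
    """Conversations with only one direction observed anywhere in the fabric."""
    return [k for k, v in convs.items() if v["directions"] == 1]


def split_across_sensors(convs):
    """Conversations whose two halves were seen by different sensors."""
    return [k for k, v in convs.items() if v["directions"] == 2 and len(v["sensors"]) > 1]


if __name__ == "__main__":
    convs = marry_flows(RECORDS)
    print("split across sensors:", split_across_sensors(convs))
    print("one-sided:", one_sided(convs))
```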
Addressing - DHCP and NAT

Disallow DHCP and NAT on the closed network

If DHCP or NAT must be used, log, monitor, and consolidate mappings with other security data
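An added example (not from the original slides or SEI) of what consolidating DHCP and NAT mappings with other security data buys the analyst: a flow observed on the translated side of a NAT is mapped back to the inside address active for that translated tuple at that time, and then to the MAC and hostname holding the DHCP lease. The NAT and lease records are constructed; overlapping matches are reported as ambiguous rather than guessed.

```python
"""Attribute externally observed flows back to internal hosts by joining
NAT translation logs with DHCP leases (constructed sample data).

Assumes a NAT log of (start, end, inside_ip, inside_port, outside_ip,
outside_port, proto) and a DHCP lease log of (start, end, ip, mac, hostname).
"""
from datetime import datetime


def parse_ts(s):
    return datetime.fromisoformat(s)


# Constructed NAT translation records; note the translated port reused later.
NAT_LOG = [
    (parse_ts("2024-03-01T09:00:00"), parse_ts("2024-03-01T09:05:00"),
     "10.10.1.15", 51000, "192.0.2.10", 40001, 6),
    (parse_ts("2024-03-01T09:02:00"), parse_ts("2024-03-01T09:03:00"),
     "10.10.2.33", 52000, "192.0.2.10", 40002, 6),
    (parse_ts("2024-03-01T09:06:00"), parse_ts("2024-03-01T09:07:00"),
     "10.10.1.40", 53000, "192.0.2.10", 40001, 6),
]

# Constructed DHCP leases; 10.10.2.33 is statically addressed and has none.
DHCP_LEASES = [
    (parse_ts("2024-03-01T08:00:00"), parse_ts("2024-03-01T20:00:00"),
     "10.10.1.15", "00:11:22:33:44:55", "ws-alice"),
    (parse_ts("2024-03-01T08:30:00"), parse_ts("2024-03-01T20:30:00"),
     "10.10.1.40", "00:11:22:33:44:66", "ws-bob"),
]


def lookup_nat(ts, outside_ip, outside_port, proto):
    """Return (inside_ip, inside_port) active for the translated tuple at ts,
    or None when there is no match or more than one (ambiguous) match."""
    hits = [(r[2], r[3]) for r in NAT_LOG
            if r[4] == outside_ip and r[5] == outside_port and r[6] == proto
            and r[0] <= ts <= r[1]]
    return hits[0] if len(hits) == 1 else None


def lookup_lease(ts, ip):
    """Return (mac, hostname) holding the lease for ip at ts, else None."""
    hits = [(l[3], l[4]) for l in DHCP_LEASES if l[2] == ip and l[0] <= ts <= l[1]]
    return hits[0] if len(hits) == 1 else None


def attribute_flow(ts, outside_ip, outside_port, proto):
    """Chain the two mappings: translated tuple -> inside ip -> (mac, host)."""
    inside = lookup_nat(ts, outside_ip, outside_port, proto)
    if inside is None:
        return {"inside": None, "host": None}
    return {"inside": inside, "host": lookup_lease(ts, inside[0])}
```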
Addressing - IPv6

Avoid IPv6

IPv4 is more mature and better understood

The main benefits of IPv6 do not usually apply to the closed network
Addressing - DNS Names

Choose unique DNS names

Allows for identification of cross domain violations via DNS monitoring
Addressing - Monitor DNS

A DNS sensor is a rich source of information and is often overlooked on closed networks
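An added example (not part of the original slides or of SEI's tooling) covering the two DNS findings above: a DNS sensor log from the closed network is checked for queries naming the other network's zone, which is the cross domain signal that unique names make possible, and names belonging to neither zone are tallied for the historical query repository. The zone names `closed.example` and `corp.example` and the log lines are constructed placeholders.

```python
"""Cross-domain name detection over DNS query logs (constructed sample).

Assumes the closed network uses the zone `closed.example` and the connected
unclassified enterprise uses `corp.example` (both constructed placeholders).
A query for the other side's zone seen on a sensor is a candidate cross
domain violation: the requesting host carries name knowledge from the
other network.
"""
import re
from collections import Counter

# Constructed placeholder zones; substitute the real enclave zones.
ZONES = {"closed": "closed.example", "public": "corp.example"}

# Constructed query log lines in a simple "time client qname qtype" form.
CLOSED_SENSOR_LOG = """\
2024-03-01T09:00:01 10.10.1.15 fileserver.closed.example A
2024-03-01T09:00:02 10.10.1.15 mail.closed.example A
2024-03-01T09:00:05 10.10.2.33 intranet.corp.example A
2024-03-01T09:00:06 10.10.2.33 wpad.corp.example A
2024-03-01T09:00:09 10.10.1.40 updates.vendor.example A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_query_log(text):
    """Yield (timestamp, client, qname, qtype) from each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, qtype = m.groups()
            yield ts, client, qname.rstrip(".").lower(), qtype


def in_zone(qname, zone):
    """True when qname is the zone apex or a name beneath it."""
    return qname == zone or qname.endswith("." + zone)


def cross_domain_queries(text, sensor_side):
    """Queries seen on `sensor_side` ("closed" or "public") that ask for
    names in the other side's zone."""
    other = ZONES["public" if sensor_side == "closed" else "closed"]
    return [rec for rec in parse_query_log(text) if in_zone(rec[2], other)]


def foreign_name_inventory(text, sensor_side):
    """Names belonging to neither zone, counted per qname, for the
    historical DNS repository the recommendation calls for."""
    ours = ZONES[sensor_side]
    other = ZONES["public" if sensor_side == "closed" else "closed"]
    return Counter(rec[2] for rec in parse_query_log(text)
                   if not in_zone(rec[2], ours) and not in_zone(rec[2], other))
```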
Operations and Management - Operations vs. Defense

Network operations and network defense teams are often separated and sometimes working towards opposing goals

Communication between netops and netdef is often poor
Operations and Management - Duplicate Responsibility

The tiered closed network security structure promotes

• Inefficient communication
• Ill-defined boundaries of responsibility
• Over-reporting and rework
Operations and Management - Lack of Security Budgeting

As closed networks grow, planners fail to account for personnel and sensors in expansion costs
Conclusion

CLOSED NETWORK DESIGN
Observations

Network Architectural Design Decisions that Impact Situational Awareness

Topology

Issue: Centralized monitoring
Observation: As opposed to the singular, opaque network core described in the traditional three-tier model, segregate backbone traffic by security profile.
Recommendation: Use multiple, parallelized cores to provide natural chokepoints that allow for in-depth monitoring, a natural segregation of data, and centralized sensor data collection strategies.

Issue: Data consolidation
Observation: Although data fusion is not a silver bullet, consolidation of data sources enables inferences that are not possible via each individual source. Consolidated data saves analysts' time.
Recommendation: Network designers can increase network defensibility by planning for data consolidation during the design phase.

Issue: Security zones
Observation: A security zone is a subnetwork that contains devices with similar security profiles. Zones create network choke points that can be protected by an access control device and monitored by a guard.
Recommendation: The recommended approach is to segment similar users and similar devices into zones and to monitor those zones at the ingress/egress point.

Issue: Asymmetric routing
Observation: Asymmetric routing implies multiple paths through the network that allow the outbound portion of a flow to take a different path than the inbound portion. Asymmetric routing hinders or prevents all except the most simple network monitoring tools.
Recommendation: Force traffic to flow symmetrically or marry both sides of the conversations in the data repository.

Sensor placement

Issue: Sink holes
Observation: A sink hole is a system that gathers, analyzes, and drops traffic bound for unallocated, unused, or otherwise selected IP addresses and ranges.
Recommendation: Architects should make accommodations for sink holes for use in directing attacks away from sensitive subnetworks and in improving situational awareness.

Issue: Sensor gaps
Observation: Sensor gaps imply that less than 100% of all traffic is being monitored. Sensor gaps force analysts to make assumptions about completeness. Gaps break some existing analysis products and decrease network situational awareness.
Recommendation: Ensure full sensor coverage so that every flow passes at least one sensor.

Issue: Tunnels
Observation: There are two types of tunnels, tunnel protocols (e.g. Teredo, GRE or SSH) and subversive tunnels (e.g. DNS, ICMP or HTTP tunneling). Tunnels thwart many monitoring technologies.
Recommendation: Place sensors on the "outside" of tunneling endpoints. Choose sensor technologies that can assist in the detection of subversive tunnels (YAF labeling?, Trickier?).

Issue: Application proxies
Observation: Proxies provide security and performance for some applications such as web surfing.
Recommendation: Place sensors on the "outside" of proxies so that the conversation between the client and the proxy is visible. If this is not possible, provide proxy logs in near real time to security processes and applications.

Issue: Closed network clouds
Observation: Clouds are popular in classified networks too. Classified network clouds face some of the same challenges as Internet clouds.
Recommendation: Group similar clouds into security zones. Tighten access controls with the principles of least privilege.

Issue: Virtual hosts and networks and virtual sensors
Observation: VMware has become a popular commodity in today's network design.
Recommendation: Network layer taps are not sufficient to monitor virtual networks. Plan for virtual sensors, create virtual security zones and network chokepoints.

Issue: Monitor at multiple levels of the stack
Observation: It is common for procurement and operations personnel to assume that "sensor" means "Snort" or "Sourcefire". While Snort operates at layer 2, and that allows it visibility into all the upper layers, other applications provide critical functionality that Snort does not provide.
Recommendation: We recommend that sensor stacks should include:
- an IDS/IPS (for example Cisco MARS or Sourcefire)
- a flow monitoring and storing system (SiLK, Argus, or NFSen)
- a header capture and storage system (Trickier)
- a full packet capture and storage system (Niksun, NetWitness)
- an application layer monitor for critical applications (email guards, DNS monitors, SQL scrubbers, web proxies)
- a security information and event manager

Addressing and naming

Issue: Dynamic Host Configuration Protocol
Observation: Because of its transitory nature, DHCP complicates most traditional monitoring and analysis techniques. Attribution is much more complicated in dynamically addressed networks.
Recommendation: Avoid DHCP as much as possible. Set DHCP expiration to the maximum convenient levels. Maintain DHCP logs and make them available in near real time to security processes and applications.

Issue: Network Address Translation
Observation: NAT complicates most traditional monitoring and analysis by obfuscating the source and/or destination addresses. It also frustrates some analysis techniques such as operating system identification. Even if it is possible to associate native to translated addresses, the process is manual and time consuming in most of the networks studied.
Recommendation: Avoid NAT where possible. Arrange for end-to-end connectivity. If NAT is necessary, monitor both sides or make detailed NAT logs available in near real time to security processes and applications.

Issue: IPv6
Observation: IPv4 is recommended because it is more mature and understood, because vendors provide better support for v4, and because there is an industry-wide lack of expertise with IPv6. Furthermore, IPv6 depends on a suite of immature and less understood supporting protocols.
Recommendation: Use IPv4 whenever possible.

Issue: Choose unique DNS names
Observation: Unique domain names allow for identification of cross domain violations via DNS monitoring. If classified and unclassified DNS names are the same, this detection is more complicated.
Recommendation: Monitor public networks for the appearance of classified name requests and monitor the classified network for the appearance of unclassified name requests.

Issue: Harvesting DNS queries and responses
Observation: Some networks we studied do not take advantage of DNS monitoring. DNS data enables inventorying the name space and the identification of malicious behavior, malicious content distribution, and anomalous IP addresses.
Recommendation: Monitor DNS and create DNS query and response repositories of historical information. See also: Sink holes.

Operations and Management

Issue: Stovepiped network knowledge
Observation: Diagrams, device configurations, and address inventories are incomplete, not maintained, and/or unavailable in the networks we've studied. Sometimes this type of information is not shared freely, hoarded by internal competing interests (operations, assurance, security, etc.). We found that there is no standardization for diagrams and inventories. These problems lead to duplication of effort and increased effort when responsibilities change or during audit time.
Recommendation: Architect documentation processes into the design. Utilize network inventorying tools so that documentation processes are automated. Create standardization and sharing policies.

Issue: Eliminate duplicate monitoring responsibility
Observation: Many networks spend duplicate effort (and duplicate equipment) monitoring at multiple network tiers. Enclave networks promote effort duplication. A streamlined security monitoring system is more efficient because it does not incur division of labor overhead.
Recommendation: Consolidate monitoring responsibility.

Issue: Account for personnel and sensors in expansion costs
Observation: Many classified networks fail to anticipate the increased workload and equipment costs when planning for network growth.
Recommendation: Consider the impact of expanded functionality when designing the network. Include personnel costs in classified network upgrade budgets.
Hypothesis

Several common closed network design decisions adversely impact operational security

Therefore, closed network security can be improved by selecting certain design aspects
Predictions

• Zoning of closed networks will lessen the number of machines affected in a malware worm attack.
• Data consolidation will allow for the creation of new analysis techniques and increased situational awareness.
• The collection of sinkhole data will allow discovery of policy violations that were not possible before.
• Elimination of NAT allows for faster attribution.
• As duplication of effort is decreased, closed network defense becomes less expensive and more reliable.
Future Work

CLOSED NETWORK DESIGN
Experiment

Create test closed networks and compare operation
Use production closed networks as a test bed
Future Work

Security Capability Model for Networks

• Maturity Level 5 - Optimized Closed Network
  — Guard Validation
  — Topology Verification
  — Sensor Placement
  — Addressing Planning
  — Operations
  — Organizational Training
  — Risk Management

Security Capability Model for Networks

• Maturity Level 4 - Defined Border Mgt
  — Guard Management
  — Topology Requirements Development
  — Sensor Optimization
  — Addressing Management
  — Operations